Unable to search/index the uploaded text file in the newly built test machine?


Hi, I have recently set up a single-instance test machine in our environment, with Splunk version 6.6.1 in a Linux environment (VM platform). The same test machine is connected to the license master.

My agenda was to test an upgraded Paloalto add-on app 6.0.2 on this machine before pushing the config to the Prod env, so I pushed the updated Paloalto add-on to /opt/splunk/etc/apps/Splunk_TA_Paloalto/. Then I uploaded a raw text file taken from my production machine to the test machine via Splunk Web --> Settings --> Add Data --> uploaded text file --> selected the sourcetype --> assigned to a newly created index called Firewall --> Review --> Submit --> Start Searching. But I am unable to see any data being indexed.

Note: The index location is the default, "/opt/splunk/var/lib/splunk/firewall/db". I could see a file called Creationtime in this location; other than this, there is nothing present in this location.


1 Answer

The above issue got fixed. On investigating the problem, we found that the outputs.conf file was configured with the below stanza; due to this, when we uploaded data via the Splunk test portal, the data was being ingested into production.

Steps :

1) Checked by executing index="_internal" and found that there was no data being ingested. This showed that something is really going wrong, as we could not see the Splunk internal data.

2) Executed the splunk btool command to list outputs.conf and check the configuration

./splunk btool outputs list --debug | less

3) We found that in one of the apps, the outputs.conf was configured to route the data to the production indexers.
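The btool check from steps 2 and 3, as an added example that is not part of the original answer: it reads `btool outputs list --debug` output and reports every tcpout forwarding target together with the conf file that sets it, so an app shipping its own outputs.conf stands out before test data is uploaded. The app name, group name and addresses in the sample are constructed, and the parser assumes conf file paths contain no spaces.

```shell
#!/bin/sh
# Each line of `splunk btool outputs list --debug` is
#   <conf file path> <stanza header | key = value>
# find_forward_targets reads that output on stdin and prints one
# tab-separated line per forwarding setting: file, stanza, key=value.
find_forward_targets() {
    awk '
        {
            file = $1
            rest = $0
            sub(/^[^ \t]+[ \t]+/, "", rest)   # drop the path column
        }
        rest ~ /^\[/ { stanza = rest; next }  # remember the current stanza
        stanza ~ /^\[tcpout/ && rest ~ /^(server|defaultGroup)[ \t]*=/ {
            key = rest; sub(/[ \t]*=.*/, "", key)
            val = rest; sub(/^[^=]*=[ \t]*/, "", val)
            printf "%s\t%s\t%s=%s\n", file, stanza, key, val
        }
    '
}

# Constructed sample of --debug output (not taken from the original post).
sample_btool_output() {
    cat <<'EOF'
/opt/splunk/etc/apps/example_app/local/outputs.conf   [tcpout]
/opt/splunk/etc/apps/example_app/local/outputs.conf   defaultGroup = prod_indexers
/opt/splunk/etc/system/default/outputs.conf           forwardedindex.filter.disable = false
/opt/splunk/etc/apps/example_app/local/outputs.conf   [tcpout:prod_indexers]
/opt/splunk/etc/apps/example_app/local/outputs.conf   server = 192.0.2.10:9997,192.0.2.11:9997
/opt/splunk/etc/system/default/outputs.conf           [syslog]
/opt/splunk/etc/system/default/outputs.conf           type = udp
EOF
}

# On a real host: ./splunk btool outputs list --debug | find_forward_targets
sample_btool_output | find_forward_targets
```

Any line in the result means the instance has a forwarding target configured, and the first column names the app to fix or disable on the test machine.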
